Security researchers have discovered a new malware strain targeting WordPress sites that includes some pretty clever techniques, such as removing competing malware and updating the victim’s site.
Known as BabaYaga, this malware strain isn’t new, but recent updates have transformed this former low-key player into a considerable foe for WordPress site administrators.
The virus itself is presented in two parts, one appears as spam ads on the affected site, and for the second attackers have full control over the infected page.
The malware is controlled by a central command and control server (C2 server) which
allows the attacker to control thousands of sites and use them to generate affiliate
revenue. This malware variant even goes to the trouble of reporting back to the C2 server
how many pages an infected site has indexed by Google, Bing, Yahoo and Yandex, to
determine the SEO value of an infected site.
The malware can access a certain URL on the C2 server and retrieve the newest variant
of itself. Once it has downloaded the code, the malware runs a function to randomize
variable and function names in order to avoid detection and overwrites itself with the new
The malware appears to be Russian in origin. When its configuration file is decoded, at least one of the array keys is a transliteration of a Russian word for “backlink”. Many of the domains on the command and control servers are .ru domains. Some of the core domains are registered to an email address @yandex.ru
For a full detailed description of this malware click here
Command And Control Servers